> That seems like a kernel flaw - it makes sense that you can't _add_
> capabilities without CAP_SETPCAP, but being unable to _drop_
> capabilities without first acquiring a capability seems backwards.

You cannot add capabilities to the bounding set at all. It is a one-way
street. /me learned a lot of things while writing these two patches.

In fact, capng_apply(CAPNG_SELECT_BOUNDS) will never fail, but I
preferred to be conservative in patch 1 just in case this changes in the
future.

> Hmm, this seems like we may want it for 1.0.4

I do not think so, there should not be any cases right now where
unprivileged libvirt calls a setuid helper.

Paolo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
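The bounding-set behaviour discussed above (drop needs CAP_SETPCAP, and there is no way to add an entry back), shown with raw prctl(2) rather than libcap-ng; this is an added example, not code from the thread or from libvirt, and it assumes Linux headers are available.

```c
/* Added example: probe and drop capability bounding-set entries with
 * prctl(2).  libcap-ng's capng_apply(CAPNG_SELECT_BOUNDS) issues the same
 * PR_CAPBSET_DROP calls underneath.  Assumes Linux headers. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if cap is in this thread's bounding set, 0 if not, -1 on error. */
int bounding_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* Drop cap from the bounding set and re-read it.  Returns:
 *   1  dropped, and PR_CAPBSET_READ now reports it absent; there is no
 *      PR_CAPBSET_ADD, so it cannot come back in this process or its children
 *   2  EPERM: caller lacks CAP_SETPCAP, which the kernel requires even to
 *      remove an entry (the asymmetry the quoted message complains about)
 *   0  any other outcome */
int drop_and_verify(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) == 0)
        return bounding_has(cap) == 0 ? 1 : 0;
    return errno == EPERM ? 2 : 0;
}

int main(void)
{
    int cap;
    for (cap = 0; cap <= CAP_LAST_CAP; cap++)
        printf("cap %2d: %s\n", cap,
               bounding_has(cap) == 1 ? "present" : "absent");

    /* Dropping CAP_SYS_RAWIO is a typical hardening step for a helper that
     * must never reach raw devices, even if it later execs a setuid binary. */
    switch (drop_and_verify(CAP_SYS_RAWIO)) {
    case 1: puts("CAP_SYS_RAWIO removed from the bounding set"); break;
    case 2: puts("EPERM: CAP_SETPCAP is needed to drop from the bounding set"); break;
    default: puts("unexpected result"); break;
    }
    return 0;
}
```

Run it once as root and once as an unprivileged user to see the two outcomes; a dropped entry stays absent for every child, setuid or not.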